This week’s ransomware news was dominated by a Royal ransomware attack on the city of Dallas that destroyed part of the IT infrastructure.
The attack happened early Monday, affecting the Dallas police dispatch system and the public library’s computer network. Other systems, including the City’s website, have been shut down over time.
On Wednesday, the city’s network printers began printing ransom notes following the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the Royal ransomware operation was behind the attack.
Although it may seem counterintuitive to target a local government, Bill Siegel of the ransomware incident response firm Dishes told BleepingComputer that about 35% of the public sector cases they handled paid a ransom.
This includes local governments, schools, police or other publicly funded entities.
“Historical public sector victims pay ransoms in 35% of the cases we handled. This is 10 percentage points lower than the overall industry-wide average in Q1 2023 (45%),” Siegel told BleepingComputer.
“I would add that the actual rate is probably even lower because public sector victims are much less likely to seek external help from IRs, especially if they are very small, so there are probably a large number of incidents where the public sector victim simply deals with the impact and doesn’t even bother to consider hiring the cybercriminal responsible.”
Regarding other ransomware attacks this week, we learned:
Law enforcement also scored a victory this week when the FBI announced it seized nine crypto exchanges used to launder ransomware payments and stolen cryptocurrency.
Finally, an interesting report was published by WithSecure regarding malicious actors targeting Veeam backup servers for initial access to corporate networks.
Contributors and those who provided new ransomware information and stories this week include: @malwhunterteam, @serghei, @demonslay335, @billtoulas, @Ionut_Ilascu, @fwosar, @LawrenceAbrams, @BleepinComputer, @Seifreed, @AlvieriD, @WithSecure, @PogoWasRight, @pcrisk, @siri_urz, @Unit42_Intel, and @BrettCallow.
April 29, 2023
Hackers Target Vulnerable Veeam Backup Servers Exposed Online
Veeam backup servers are being targeted by at least one group of malicious actors known to work with several high-profile ransomware gangs.
May 1, 2023
Hackers leak images to taunt response to Western Digital cyberattack
Ransomware operation ALPHV, aka BlackCat, released screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to company systems even as the company was responding to the breach.
May 2, 2023
FBI seizes 9 crypto exchanges used to launder ransomware payments
The FBI and Ukrainian police seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
New variants of STOP Ransomware
PCrisk found new STOP ransomware variants that append the .saba, .sato, and .fofd extensions.
New variant of Dharma ransomware
PCrisk has found a new Dharma Ransomware variant that adds the .h3r extension.
New variant of Phobos ransomware
PCrisk has found a new Phobos Ransomware variant that adds the .BOOM extension.
New variant of Xorist ransomware
PCrisk has found a new Xorist Ransomware variant that adds the .CrypBits256PT2 extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
New variant of MedusaLocker ransomware
PCrisk has found a new variant of MedusaLocker Ransomware which adds the .attacksystem extension.
New Zhong ransomware
PCrisk has found new ransomware that adds the .zhong extension and drops a ransom note named Restore.txt.
May 3, 2023
Brightline data breach affects 783,000 pediatric mental health patients
Pediatric mental health provider Brightline warns patients it suffered a data breach affecting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.
City of Dallas Hit by Royal Ransomware Attack Affecting IT Services
The city of Dallas, Texas suffered a Royal ransomware attack, forcing it to shut down some of its computer systems to prevent the attack from spreading.
New variant of Rec_rans ransomware
PCrisk has found the new Rec_rans Ransomware which adds the .rec_rans extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
New BlackSuit ransomware
S!Ri, MalwareHunterTeam, and Unit 42 found the new BlackSuit ransomware that targets Windows and VMware ESXi. It adds the .blacksuit extension and drops a ransom note named README.BlackSuit.txt.
May 4, 2023
Ransomware gang hijacks university warning system to issue threats
The Avos ransomware gang hijacked Bluefield University’s emergency broadcast system, “RamAlert”, to send students and staff text messages and email alerts that their data had been stolen and would soon be published.
New variant of Xorist ransomware
PCrisk has found a new Xorist ransomware variant that adds the .btc-Apt2 extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
May 5, 2023
ALPHV Gang Claims Constellation Software Ransomware Attack
Diversified Canadian software company Constellation Software confirmed on Thursday that some of its systems had been hacked by threat actors who also stole personal information and business data.